omnigraph/crates/omnigraph-server
Ragnor Comerford 05a8bd5de1
server: gate /ingest /branches/* /schema/apply on per-actor admission

Closes the gap that admission control only fired on /change. A heavy
actor sending bulk-ingest traffic could exhaust shared engine capacity
(Lance I/O threads, manifest churn) without hitting the per-actor cap.

Wires `state.workload.try_admit(&actor_arc, est_bytes)` into the five
remaining mutating handlers AFTER Cedar authorization (so denied
requests don't consume admission slots) and BEFORE the engine call.
Byte estimates per handler:

- /ingest: request.data.len() (NDJSON body)
- /schema/apply: request.schema_source.len()
- /branches/create, /branches/delete, /branches/merge: 256
  (small JSON; the heavy work is bounded per-(table, branch) by the
  engine's writer queue rather than by request size)

The admission guard is held in `let _admission = ...` so it stays
alive until handler return, releasing the count permit + decrementing
the byte budget on drop.

Pinned by `ingest_per_actor_admission_cap_returns_429` (previous
commit). The test still fails on the Retry-After header assertion;
the next commit emits the header.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 16:57:53 +02:00
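
The ordering and guard lifetime the commit message describes, as an added example that is not the project's code. `Workload`, `Usage`, `Admission`, `ingest`, the caps and the 403 for a denied request are hypothetical stand-ins; only the `try_admit` name, the `_admission` binding and the 429 come from the message.

```rust
use std::collections::HashMap;
use std::sync::{Arc, Mutex};
#[derive(Default)]
struct Usage { in_flight: usize, bytes: usize }
#[derive(Clone)]
struct Workload { max_in_flight: usize, max_bytes: usize, actors: Arc<Mutex<HashMap<String, Usage>>> }
// RAII guard: dropping it releases the count permit and the byte budget.
struct Admission { wl: Workload, actor: String, bytes: usize }

impl Drop for Admission {
    fn drop(&mut self) {
        let mut m = self.wl.actors.lock().unwrap();
        if let Some(u) = m.get_mut(&self.actor) {
            u.in_flight -= 1;
            u.bytes -= self.bytes;
        }
    }
}

impl Workload {
    fn new(max_in_flight: usize, max_bytes: usize) -> Self {
        Workload { max_in_flight, max_bytes, actors: Arc::default() }
    }
    // Check and reserve under one lock so concurrent requests cannot both pass the cap.
    fn try_admit(&self, actor: &str, est_bytes: usize) -> Option<Admission> {
        let mut m = self.actors.lock().unwrap();
        let u = m.entry(actor.to_string()).or_default();
        if u.in_flight >= self.max_in_flight || u.bytes + est_bytes > self.max_bytes {
            return None; // caller maps this to HTTP 429
        }
        u.in_flight += 1;
        u.bytes += est_bytes;
        Some(Admission { wl: self.clone(), actor: actor.to_string(), bytes: est_bytes })
    }
    fn in_flight(&self, actor: &str) -> usize {
        self.actors.lock().unwrap().get(actor).map_or(0, |u| u.in_flight)
    }
}

// Handler shape: authorize first, then admit, then do the work while the guard lives.
// Returns (status, in-flight count for the actor as seen inside the handler).
fn ingest(wl: &Workload, actor: &str, authorized: bool, body: &[u8]) -> (u16, usize) {
    if !authorized { return (403, wl.in_flight(actor)); } // denied: no slot consumed
    let Some(_admission) = wl.try_admit(actor, body.len()) else { return (429, wl.in_flight(actor)); };
    // `let _ = wl.try_admit(..)` would drop the guard on this line and free the slot early.
    (200, wl.in_flight(actor)) // stand-in for the engine call; the slot is still held here
}

fn main() { println!("{:?}", ingest(&Workload::new(1, 1024), "alice", true, b"{}")); }
```
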
examples mr-686: bundle PR 0/1a/1b foundation + PR 2 catalog/schema_source ArcSwap 2026-05-07 16:22:38 +02:00
src server: gate /ingest /branches/* /schema/apply on per-actor admission 2026-05-08 16:57:53 +02:00
tests tests: pin /ingest admission gate + 429 Retry-After (red) 2026-05-08 16:57:01 +02:00
Cargo.toml server: add WorkloadController for per-actor admission (PR 2 Step E) 2026-05-07 16:59:45 +02:00